Sebastián Revuelta is a security engineer at Thales Alenia Space with a history of working in security, sales, and customer success management. He talks about all things application security, the role of presales and sales engineers in connecting cybersecurity with customers, what the STRIDE threat modelling framework is and its role in application security, and more in this exclusive interview with ManageEngine.

  • Sebastián Revuelta
  • Security engineer, Thales Alenia Space

1. Could you tell us about your journey in the cybersecurity domain? When and how did it start?

For many years, I worked on the quality aspects of software, which involved dealing with performance, reliability, maintenance, and so on. Since 2015, I've worked in roles that deal with software security. I made this shift as I understood the importance of cybersecurity: one vulnerability is all it takes to provoke a real disaster in a company.

2. How would you describe your current role? What do security engineers do?

As an application security engineer, I take care of the security aspects of software development. My role involves running different types of security scans: static analysis, dynamic analysis, container analysis, and more. One of my most important responsibilities though is resolving issues. I help prioritize vulnerabilities and help the team fix them.

3. How does your role contribute to keeping your organization safe from cyberattacks?

Being able to deliver secure software is crucial to avoid issues in production. It is one important step in the chain, but not the only one: network traffic, infrastructure scans, cloud security, security policies, and many other security aspects need to be taken care of as well! Cybersecurity is an amazing but huge world to work in.

4. What security attacks does a security engineer deal with on a regular basis?

SQL injection, cross-site scripting, and hard-coded credentials (the practice of embedding credentials in the source code of an executable) are some of the issues our scans commonly detect.
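The third item on that list is the one a static scan finds most mechanically. The script below is an added illustration, not a tool from the interviewee, Thales Alenia Space or ManageEngine: it runs a simple credential-assignment pattern over constructed sample source lines, skips comments and placeholder values, and reports what a reviewer would then have to triage. The regex, the placeholder list and every sample line are constructed for this example.

```python
"""Minimal detector for hard-coded credentials in source text (added example)."""
import re

# Assignment of a quoted literal to a credential-looking variable name.
# Group 1 = the credential keyword, group 2 = the literal value.
# No leading word boundary, so names such as DB_PASSWORD or admin_pwd match too.
CREDENTIAL_ASSIGNMENT = re.compile(
    r"""(?i)(password|passwd|pwd|secret|api[_-]?key|token)\b\s*[:=]\s*["']([^"']+)["']"""
)

# Literal values that are stand-ins rather than usable credentials.
PLACEHOLDERS = {"", "changeme", "xxx", "<redacted>", "example", "placeholder"}


def is_placeholder(value: str) -> bool:
    """True when the literal is a placeholder or a template/env reference, not a secret."""
    v = value.strip().lower()
    return v in PLACEHOLDERS or v.startswith("${") or v.startswith("{{")


def scan_lines(lines):
    """Return (line_number, keyword, value) for every suspected hard-coded credential."""
    findings = []
    for number, line in enumerate(lines, start=1):
        stripped = line.strip()
        if stripped.startswith(("#", "//")):
            continue  # commented-out code is noise here, not a finding
        for match in CREDENTIAL_ASSIGNMENT.finditer(line):
            keyword, value = match.group(1).lower(), match.group(2)
            if not is_placeholder(value):
                findings.append((number, keyword, value))
    return findings


# Constructed sample source; the "secret" values are fake and exist only for the demo.
SAMPLE_SOURCE = [
    'DB_HOST = "db.internal.example"',
    'DB_PASSWORD = "s3cr3t-demo-value"',      # flagged: literal password
    'api_key: "changeme"',                     # placeholder, not flagged
    '# password = "commented-out-demo"',      # comment, not flagged
    'token = os.environ.get("APP_TOKEN")',    # read from the environment, not flagged
    'const secret = "${VAULT_SECRET}";',       # templated at deploy time, not flagged
    "admin_pwd = 'admin'",                     # flagged: default credential as a literal
]


def report(lines=SAMPLE_SOURCE):
    """Human-readable findings; the value itself is deliberately not echoed."""
    return [f"line {n}: '{kw}' is assigned a literal value" for n, kw, _ in scan_lines(lines)]


if __name__ == "__main__":
    for entry in report():
        print(entry)
```

A real scanner would add entropy checks and vendor-specific key formats, but the structure is the same: match, filter out placeholders, and hand the remainder to a human to prioritize, which is exactly the triage step the interviewee describes.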

5. What are some of the common mistakes most security engineers make that should be avoided?

We need to avoid using default credentials. It is crucial to change them regularly. Username and password pairs such as admin/admin or root/root are the first things an attacker will try.

6. Spain has been subject to multiple cyberattacks of late. Why would you say this is? What can organizations do better to secure their data?

Tech companies are growing in Spain, and so is the adoption of advanced technology. This goes hand-in-hand with an increase in the number of attacks that occur. It is important to take measures on all fronts and layers: network, infrastructure, cloud, application, and database. Dealing with data also means that organizations need to encrypt sensitive information and carry out periodic backups to enable easy restoration of information in case of an attack.

7. As someone who's worked with sales teams previously, what is the role presales or support engineers play while interacting with customer-facing teams?

Sometimes as security engineers, we can get really technical, and this can confuse customers. We need to speak the "same language" to avoid this. Imagine saying this to a non-technical customer:

"Hey, customer, you have one cross-site scripting in the frontend that is affecting your database layer due to a Spring misconfiguration."

It is so much better to tell a customer something like this:

"In the application X, which is important for your business, there is a potential weakness in the main form, and an attacker can exploit it. It is important to fix it soon, as it has a big impact and an easy solution."

Presales or support security engineers play the role of linking sales and technical staff with customers.

8. You've mentioned that you work with the STRIDE threat modelling framework using IriusRisk. Could you please elaborate on this? How does the STRIDE threat modelling framework help you in your role?

I've always felt that threat modelling is amazing and that there is a whole lot to be discovered in the field. There are several experts, like Adam Shostack, who teach us how to decompose an application to identify threats. And this is the main goal of any threat modelling activity: identifying possible threats.

Shostack suggests beginning a threat modelling activity by asking oneself four important questions:

  1. What are we building?
  2. What can go wrong?
  3. What are we going to do about it?
  4. Did we do a good job?

Asking oneself "what can go wrong?" is crucial, as it will give all the potential threats for any application. To achieve that, he proposes the STRIDE technique, which consists of:

  • Spoofing
  • Tampering
  • Repudiation
  • Information disclosure
  • Denial of service
  • Elevation of privileges

With these threats in mind, we could review our design and check if our application is likely to be a target for cyberattacks.
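As an added example of that design review, not code from the interview, Thales Alenia Space or IriusRisk, the script below applies STRIDE-per-element, Shostack's table of which STRIDE categories usually apply to each kind of data-flow-diagram element, to a constructed model of the "main form talks to a database" application mentioned earlier in the interview. It goes one step beyond the list above by recording mitigations already in the design and reporting only the threats that remain open. The element names and mitigations are constructed for the demonstration.

```python
"""STRIDE-per-element enumeration over a tiny data-flow model (added example)."""
from dataclasses import dataclass, field

STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}

# STRIDE categories that typically apply to each DFD element type
# (Shostack's STRIDE-per-element table).
THREATS_PER_ELEMENT = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",  # R matters when the store holds logs or audit records
    "data_flow": "TID",
}


@dataclass
class Element:
    name: str
    kind: str                                      # a key of THREATS_PER_ELEMENT
    mitigations: set = field(default_factory=set)  # STRIDE letters already addressed


def enumerate_threats(elements):
    """Return {element name: [open threat names]} after removing mitigated categories."""
    result = {}
    for el in elements:
        letters = THREATS_PER_ELEMENT[el.kind]
        result[el.name] = [STRIDE[l] for l in letters if l not in el.mitigations]
    return result


def open_threat_count(elements):
    """Total number of unmitigated STRIDE threats across the model."""
    return sum(len(v) for v in enumerate_threats(elements).values())


# Constructed model: browser user -> login form handler -> user database.
SAMPLE_MODEL = [
    Element("Browser user", "external_entity"),
    Element("Login form handler", "process", mitigations={"S"}),  # hypothetical: session auth in place
    Element("User database", "data_store", mitigations={"I"}),    # hypothetical: encrypted at rest
    Element("Form -> DB query", "data_flow"),
]

if __name__ == "__main__":
    for name, threats in enumerate_threats(SAMPLE_MODEL).items():
        print(f"{name}: {', '.join(threats) or 'no open threats'}")
    print(f"{open_threat_count(SAMPLE_MODEL)} threats still to decide on")
```

The output is the raw material for Shostack's third question, "what are we going to do about it?": each remaining entry needs a mitigation, an acceptance or a transfer recorded against it before the fourth question can be answered.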

9. There has been a noticeable increase recently in phishing attacks. What is your opinion on this? How do you think this could be dealt with and prevented in the future?

Human beings are the likely target for any cyberattack in an organization. Social engineering attacks like phishing will always exist, and we need to anticipate and prepare ourselves for them. I think there are two main ways to reduce the risk: improve our technology to detect phishing automatically (not always easy, as there are many sophisticated attacks) and train people to be aware of these threats.

Expert Talks

© 2021 Zoho Corporation Pvt. Ltd. All rights reserved.